{
  pkgs,
  lib,
  config,
  ...
}:
# Brings the per-segment address prefixes (eth1IPv4, eth2IPv4, eth3IPv4,
# wifiIPv4) into scope; they are the only names used from that file below.
with (import networking/names-and-numbers.nix);
{
  imports = [
    networking/ftth.nix
    networking/ethernet.nix
    networking/wifi.nix
    networking/lte.nix
    networking/nftables.nix
    ../../nixos/profiles/dnscrypt-proxy2.nix
    ../../nixos/profiles/printing.nix
    ../../nixos/profiles/networking/ssh.nix
  ];

  install.substituteOnDestination = false;

  # This host routes between its LAN segments and the uplinks, so IPv4
  # forwarding is switched on in the kernel. What may actually be forwarded
  # is decided by the nftables chains below: anything that reaches the
  # catch-all `forward` chain is logged and dropped.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  networking = {
    domain = "sp";
    useDHCP = false;
    networkmanager.enable = true;

    # Appended (mkAfter) to the ruleset assembled by networking/nftables.nix,
    # which is presumably where the input-lan / output-lan / forward-* chains
    # are declared and dispatched to — that file is not visible here.
    # NOTE(review): forward-to-lan and forward-to-net accept unconditionally
    # as long as the `jump forward-connectivity` lines stay commented out,
    # so this file adds no per-flow policy between LAN and uplink.
    nftables.ruleset = lib.mkAfter ''
      table inet filter {
        chain input-lan {
          meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
          meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
        }
        chain output-lan {
          # net.netfilter.nf_conntrack_udp_timeout_stream is only 2min
          # whereas a renew is ~1h after the initial connection.
          meta skuid ${config.users.users."systemd-network".name} \
          meta l4proto { udp, tcp } th sport bootps \
          meta l4proto { udp, tcp } th dport bootpc \
          counter accept comment "DHCP rebinding/renewing"
        }
        chain forward-to-lan {
          #jump forward-connectivity
          counter accept
        }
        chain forward-to-net {
          #jump forward-connectivity
          counter accept
        }
        chain forward-from-net {
          ct state established accept
          ct state related accept
          log level warn prefix "forward-from-net: " counter drop
        }
        chain forward {
          log level warn prefix "forward: " counter drop
        }
      }
    '';
  };

  services = {
    # mDNS/DNS-SD responder.
    # NOTE(review): `reflector = true` relays mDNS between every interface
    # Avahi listens on, and no interface allow/deny list is set in this
    # file — so unless an imported module restricts it, the uplink-facing
    # interfaces take part in the reflection too; confirm that is intended.
    avahi = {
      enable = true;
      openFirewall = true;
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        hinfo = true;
        userServices = true;
        workstation = true;
      };
      reflector = true;
    };

    # WARNING: settings.listen_addresses is not merged with what the
    # dnscrypt-proxy2 profile sets, hence the complete list is defined here:
    # loopback plus the gateway (.1) address of each LAN segment, so the
    # resolver is never bound on an uplink address.
    dnscrypt-proxy2.settings.listen_addresses = [
      "127.0.0.1:53"
      "[::1]:53"
      "${eth1IPv4}.1:53"
      "${eth2IPv4}.1:53"
      "${eth3IPv4}.1:53"
      "${wifiIPv4}.1:53"
    ];

    # X11 forwarding lets a session on this host reach the connecting
    # client's X display; presumably wanted for running graphical tools
    # from here — confirm it is still needed, since the default is off.
    openssh.settings.X11Forwarding = true;

    # Per-interface traffic accounting.
    vnstat.enable = true;
  };

  # The SSH host key is handed to sshd as a systemd credential. Interpolating
  # the path copies ssh/host.key.cred into the Nix store, so the file must be
  # the systemd-creds encrypted form that LoadCredentialEncrypted expects —
  # the plaintext key never lands in the world-readable store.
  systemd.services.sshd.serviceConfig.LoadCredentialEncrypted = [
    "host.key:${ssh/host.key.cred}"
  ];

  # Command-line capture tooling only (tshark and friends), no GUI.
  programs.wireshark = {
    enable = true;
    package = pkgs.wireshark-cli;
  };
}
94 }